chore: migrate tekton tasks resulting host info to secrets

Signed-off-by: Adrian Riobo <[email protected]>

Makefile

@@ -25,6 +25,7 @@ define tkn_update
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-aws-mac.yaml > tkn/infra-aws-mac.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-aws-rhel.yaml > tkn/infra-aws-rhel.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-aws-windows-server.yaml > tkn/infra-aws-windows-server.yaml
+	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-aks.yaml > tkn/infra-azure-aks.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-rhel.yaml > tkn/infra-azure-rhel.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-fedora.yaml > tkn/infra-azure-fedora.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-windows-desktop.yaml > tkn/infra-azure-windows-desktop.yaml

hacks/azure/mapt-aks-role.json

@@ -0,0 +1,14 @@
+{
+  "Name": "Mapt AKS Operator",
+  "IsCustom": true,
+  "Description": "Can create aks clusters with mapt features.",
+  "Actions": [
+    "Microsoft.Authorization/roleAssignments/*"
+  ],
+  "NotActions": [],
+  "DataActions": [],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/b0ad4737-8299-4c0a-9dd5-959cbcf8d81c"
+  ]
+}

oci/Containerfile

@@ -36,6 +36,8 @@ ENV AZ_CLI_VERSION 2.61.0
 # Pulumi plugins
 # renovate: datasource=github-releases depName=pulumi/pulumi-aws
 ARG PULUMI_AWS_VERSION=v6.37.1
+# Install this
+# https://releases.hashicorp.com/terraform-provider-aws/5.75.1/terraform-provider-aws_5.75.1_linux_amd64.zip
 # renovate: datasource=github-releases depName=pulumi/pulumi-aws
 ARG PULUMI_AWSX_VERSION=v2.3.0
 # renovate: datasource=github-releases depName=pulumi/pulumi-azure-native

tkn/infra-aws-fedora.yaml

@@ -6,22 +6,25 @@ metadata:
   labels:
     app.kubernetes.io/version: "0.8.0-dev"
   annotations:
-    tekton.dev/pipelines.minVersion: "0.24.x"
+    tekton.dev/pipelines.minVersion: "0.44.x"
     tekton.dev/categories: infrastructure
     tekton.dev/tags: infrastructure, aws, fedora
     tekton.dev/displayName: "aws manager"
-    tekton.dev/platforms: "linux/amd64"
+    tekton.dev/platforms: "linux/amd64,inux/arm64"
 spec:
   description: |
     Task provision a fedora dedicated on host on AWS
 
-    The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine
-
-  workspaces:
-    - name: storage
-      description: volume to store outputs to connect within the target machine + state file for the infrastructure 
-      mountPath: /opt/storage
+  volumes:
     - name: aws-credentials
+      secret:
+        secretName: $(params.secret-aws-credentials)
+    - name: host-info
+      emptyDir: {}
+
+  params:
+    # mapt params 
+    - name: secret-aws-credentials
       description: |
         ocp secret holding the aws credentials. Secret should be accessible to this task.
 
@@ -38,22 +41,35 @@ spec:
           access-key: ${access_key}
           secret-key: ${secret_key}
           region: ${region}
-      mountPath: /opt/aws-credentials
-
-  params:
-    # mapt params 
-    - name: project-name
-      description: identifier for project. 
-    - name: backed-url
-      description: |
-        If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). 
-
-        If default will be store on storage workspace at path set by param ws-output-path.
-      default: "''"
-    - name: ws-output-path
-      description: path on workspace where to store ephemeral assets related with the provisioning
+          bucket: ${bucket}
+    - name: id
+      description: identifier for the provisioned environment
     - name: operation 
       description: operation to execute within the infrastructure. Current values (create, destroy)
+    - name: host-access-secret 
+      description: name from the secret holding the host-info created during create operation. This is required only destroy operation
+      default: "''"
+
+    # Secret result ownership
+    - name: ownerKind
+      type: string
+      default: PipelineRun
+      description: |
+        The type of resource that should own the generated SpaceRequest.
+        Deletion of this resource will trigger deletion of the SpaceRequest.
+        Supported values: `PipelineRun`, `TaskRun`.
+    - name: ownerName
+      type: string
+      description: |
+        The name of the resource that should own the generated SpaceRequest.
+        This should either be passed the value of `$(context.pipelineRun.name)`
+        or `$(context.taskRun.name)` depending on the value of `ownerKind`.
+    - name: ownerUid
+      type: string
+      description: |
+        The uid of the resource that should own the generated SpaceRequest.
+        This should either be passed the value of `$(context.pipelineRun.uid)`
+        or `$(context.taskRun.uid)` depending on the value of `ownerKind`.
 
     # VM type params
     - name: arch
@@ -74,8 +90,8 @@ spec:
 
     # Fedora params
     - name: version
-      description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 40.
-      default: '40'
+      description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 41.
+      default: '41'
 
     # Topology params
     - name: airgap
@@ -94,9 +110,6 @@ spec:
       default: "''"
 
     # Control params
-    - name: remove-lock
-      description: in case a previous run fails the stack can be locked. This value allows to control if remove lock
-      default: 'true'
     - name: debug
       description: |
         Warning setting this param to true expose credentials 
@@ -106,109 +119,126 @@ spec:
       default: 'false'
 
   results:
-    - name: host
-      description: ip to connect to the provisioned machine
-    - name: username
-      description: username to connect to the provisioned machine
-    - name: key
-      description: filename for the private key. The key is located at workspace-resources-path
-    - name: bastion-host
-      description: if airgap is set we get the bastion host as result
-    - name: bastion-username
-      description: if airgap is set we get the bastion username to connect as result
-    - name: bastion-key
-      description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path
-
+    - name: host-access-secret
+      description: |
+        ocp secret holding the information to connect with the target machine.
+
+          ---
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: ${name}
+            labels:
+          type: Opaque
+          data:
+            host: ${host}
+            username: ${username}
+            id_rsa: ${id_rsa}
+            # If airgap data for bastion host
+            bastion-host: ${bastion-host}
+            bastion-username: ${bastion-username}
+            bastion-id_rsa: ${bastion-id_rsa}
   steps:
     - name: provisioner
       image: quay.io/redhat-developer/mapt:v0.8.0-dev
       imagePullPolicy: Always
+      volumeMounts:
+        - name: aws-credentials
+          mountPath: /opt/aws-credentials
+        - name: host-info
+          mountPath: /opt/host-info
       script: |
         #!/bin/sh
 
+        set -euo pipefail
         # If debug add verbosity
         if [[ $(params.debug) == "true" ]]; then
-          set -xuo   
+          set -xeuo pipefail  
         fi
 
         # Credentials
         export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
         export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
         export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
-
-        # Output folder
-        workspace_path=/opt/storage/$(params.ws-output-path)
-        mkdir -p ${workspace_path}
-
-        # Remove lock
-        if [[ $(params.remove-lock) == "true" ]]; then
-            rm -rf ${workspace_path}/.pulumi/locks/*
-        fi
+        BUCKET=$(cat /opt/aws-credentials/bucket)
 
         # Run mapt
         cmd="mapt aws fedora $(params.operation) "
-        cmd="$cmd --project-name $(params.project-name) "
-        # Set the backed url
-        if [[ $(params.backed-url) != "" ]]; then
-          cmd="$cmd --backed-url $(params.backed-url) "
-        else
-          cmd="$cmd --backed-url file://${workspace_path} "
-        fi
+        cmd+="--project-name mapt-fedora-$(params.id) "
+        cmd+="--backed-url s3://${BUCKET}/mapt/fedora/$(params.id) "
         if [[ $(params.operation) == "create" ]]; then
-          cmd="$cmd --conn-details-output ${workspace_path} " 
-          cmd="$cmd --arch $(params.arch) "
-          cmd="$cmd --cpus $(params.cpus) "
-          cmd="$cmd --memory $(params.memory) "
+          cmd+="--conn-details-output /opt/host-info " 
+          cmd+="--arch $(params.arch) "
+          cmd+="--cpus $(params.cpus) "
+          cmd+="--memory $(params.memory) "
           if [[ $(params.nested-virt) == "true" ]]; then
-            cmd="$cmd --nested-virt "
+            cmd+="--nested-virt "
           fi
-          cmd="$cmd --version $(params.version) "
+          cmd+="--version $(params.version) "
           if [[ $(params.spot) == "true" ]]; then
-            cmd="$cmd --spot "
+            cmd+="--spot "
           fi
           if [[ $(params.airgap) == "true" ]]; then
-            cmd="$cmd --airgap "
-          fi
-          if [[ $(params.tags) != "" ]]; then
-            cmd="$cmd --tags $(params.tags) "
+            cmd+="--airgap "
           fi
+          cmd+="--tags $(params.tags) "
         fi
         eval "${cmd}"
-        
-        create_exit_code=$?
-      
-        # set task results
-        cat "${workspace_path}/host" | tee $(results.host.path)
-        cat "${workspace_path}/username" | tee $(results.username.path)   
-        echo -n "id_rsa" | tee $(results.key.path)   
-        if [[ $(params.airgap) == "true" ]]; then
-          cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path)
-          cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path)   
-          echo -n "bastion_id_rsa" | tee $(results.bastion-key.path)   
-        fi
-
-        # If debug print credentials
-        if [[ $(params.debug) == "true" ]]; then
-          echo "Credentials to access target machine \n"
-          cat "${workspace_path}/host"
-          cat "${workspace_path}/username"
-          cat "${workspace_path}/id_rsa"
-          if [[ $(params.airgap) == "true" ]]; then
-            cat "${workspace_path}/bastion_host"
-            cat "${workspace_path}/bastion_username"
-            cat "${workspace_path}/bastion_id_rsa"
-          fi
-        fi
-
-        if [[ ${create_exit_code} -ne 0 ]]; then 
-          exit 1
-        fi
-
       resources:      
         requests:
           memory: "200Mi"
           cpu: "100m"
         limits:
           memory: "600Mi"
           cpu: "300m"
-
+    - name: host-info-secret
+      image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49
+      env:
+        - name: NAMESPACE
+          value: $(context.taskRun.namespace)
+        - name: OWNER_KIND
+          value: $(params.ownerKind)
+        - name: OWNER_NAME
+          value: $(params.ownerName)
+        - name: OWNER_UID
+          value: $(params.ownerUid)  
+      volumeMounts:
+        - name: host-info
+          mountPath: /opt/host-info
+      script: |
+        #!/bin/bash
+        set -eo pipefail
+        if [[ $(params.operation) == "create" ]]; then
+        cat <<EOF > host-info.yaml
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          generateName: mapt-aws-fedora-
+          namespace: $NAMESPACE
+          ownerReferences:
+          - apiVersion: tekton.dev/v1
+            kind: $OWNER_KIND
+            name: $OWNER_NAME
+            uid: $OWNER_UID
+        type: Opaque
+        data:
+          host: $(cat /opt/host-info/host | base64 -w0)
+          username: $(cat /opt/host-info/username | base64 -w0)
+          id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0)
+        EOF
+        if [[ $(params.airgap) == "true" ]]; then
+        cat <<EOF >> host-info.yaml
+          bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0)
+          bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0)
+          bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0)
+        EOF
+        fi
+
+        if [[ $(params.debug) == "true" ]]; then
+          cat /opt/host-info/*
+        fi
+        
+        NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}')
+        echo -n "${NAME}" | tee $(results.host-access-secret.path)   
+        fi
+